JOURNAL OF NETWORKS, VOL. 5, NO. 8, AUGUST 2010


A Novel User Authentication Scheme Based on QR-Code

Kuan-Chieh Liao
Department of Accounting & Information Systems, ASIA University, Taichung, Taiwan, R.O.C.

Wei-Hsun Lee
Department of Information Science and Applications, ASIA University, Taichung, Taiwan, R.O.C.

Abstract—User authentication is one of the fundamental procedures for ensuring secure communications and sharing system resources over an insecure public network channel. Thus, a simple and efficient authentication mechanism is required for securing the network system in the real environment. In general, the password-based authentication mechanism provides the basic capability to prevent unauthorized access. In particular, the purpose of the one-time password is to make it more difficult to gain unauthorized access to restricted resources. Instead of using the password file of conventional authentication systems, many researchers have devoted themselves to implementing various one-time password schemes using smart cards, time-synchronized tokens or the short message service in order to reduce the risk of tampering and the maintenance cost. However, these schemes are impractical because of the far from ubiquitous hardware devices or the infrastructure requirements. To remedy these weaknesses, the QR-code technique is introduced into our one-time password authentication protocol. Unlike previous schemes, the proposed scheme based on the QR code not only eliminates the usage of the password verification table, but is also a cost effective solution, since most internet users already have mobile phones. For this reason, instead of carrying around a separate hardware token for each security domain, the handiness of the mobile phone makes our approach more practical and convenient.

Index Terms—one-time password; user authentication; QR-code; mobile phone

I. INTRODUCTION

With the rapid development of computer network technologies, more and more computers are connected together to exchange information and share system resources. Security is therefore an important issue for computer networks. To prevent information from being accessed by illegitimate or unauthorized users, remote authentication of users is certainly one of the most important services. User authentication is the essential security mechanism to establish the trust relationship in open network environments. The password-based authentication scheme is the most common method to check the validity of the login message and authenticate the user. A one-time password is a password that is valid for only a single login session or transaction. One-time passwords avoid various shortcomings associated with traditional static passwords, such as replay attacks, dictionary attacks, and phishing attacks. This means that if a potential intruder manages to record a one-time password that was already used to log into a service or to conduct a transaction, he will not be able to abuse it, since it will no longer be valid. Therefore, the purpose of the one-time password is to make it more difficult to gain unauthorized access to restricted resources. On the other hand, one-time passwords cannot be memorized by human beings. For this reason, they require additional technology in order to work. Basically, one-time password schemes can be classified into the following four categories.

A. Based on the mathematical algorithm

In 1981, Lamport [8] first proposed a one-time password authentication scheme using a one-way hash chain. However, if an indefinite series of passwords is wanted, a new seed value needs to be chosen after the old hash chain is exhausted. Moreover, maintaining a password file to verify the user's authentication request also increases the risk of tampering and the maintenance cost. For this reason, many researchers [1][3][4][11][16][18] have proposed various user authentication schemes using smart cards to improve the security, the cost or the efficiency.

B. Based on the smart card

Due to their tamper resistance and the convenience in managing a password file, smart cards have been widely adopted in many remote authentication schemes [1][3][4][11][16][18]. However, carrying around the cards and the reader remains a burden to users. Since the card and the reader are far from ubiquitous, this obstacle has restricted the application of smart card based authentication schemes.

C. Based on the time-synchronized token

Time-synchronized one-time passwords are usually related to physical hardware tokens. Inside the token is an accurate clock that has been synchronized with the clock on the authentication server. It should be noted that one-time passwords should have a time to live as a security feature. Recently, it has become possible to take the electronic components associated with regular key fob one-time password tokens such as those from InCard [6], RSA [15], SafeNet [9], and Vasco [17]. However, for the same reason as the smart card based schemes, these approaches are also inconvenient because of the cost of the one-time password hardware and the infrastructure requirements.

D. Based on the Short Message Service (SMS)

Since SMS is a ubiquitous communication channel available in all handsets, it has also been used to deliver one-time passwords. However, SMS is a best effort delivery, which means that the phone company will try to deliver the message, but will not guarantee that it will get there, or, if it does, how long it will take. Besides, the SMS based scheme still incurs extra charges. Therefore, it is impractical and is not necessarily a low total cost solution.

These above-mentioned obstacles have obviously restricted the practicability of one-time password authentication schemes. Thus, it is very interesting to devise a solution which can overcome these drawbacks. Due to the rapid advances in mobile communication technologies, the QR-code [7] read by embedded camera devices has been used as a new input interface. Many cellular phones with an embedded camera are nowadays natively equipped with QR-code decoding software. So the interesting approach proposed in this paper is to adopt the widely used QR-code technique to support the one-time password system. Besides, QR-code applications on mobile phones derive the benefits inherited from the QR-code, such as the large capacity, the small printout size, the high speed scan, the damage resistance and the data robustness. Moreover, there are many advantages to using the QR-code on mobile phones, such as omni-directional readability and error correction capability. In addition, our approach could be more convenient, since the users would not need to carry around a separate hardware token for each security domain to which they require access. Meanwhile, various properties of the mobile device, such as mobility and handiness, make our approach more practical.

This paper is organized as follows. Section II gives the basic concept of the QR-code. In Section III, the proposed QR-code based one-time password authentication scheme is given. In Section IV, the feasibility evaluation and security analysis are discussed. Finally, this paper concludes in Section V.

Manuscript received May 20, 2009; revised November 30, 2009. The associate editor coordinating the review of this paper and approving it for publication was Dr. Hsing-Chung Chen.

© 2010 ACADEMY PUBLISHER doi:10.4304/jnw.5.8.937-941

II. BASIC CONCEPT OF THE QR-CODE

The QR-code [7] is a two-dimensional barcode introduced by the Japanese company Denso-Wave in 1994. The "QR" is derived from "Quick Response", as the creator intended the code to allow its contents to be decoded at high speed. It contains information in both the vertical and horizontal directions, whereas a classical barcode has only one direction of data. Compared to a classical barcode, a QR-code can hold a considerably greater volume of information: 7,089 characters for numeric only, 4,296 characters for alphanumeric data, or 2,953 bytes of binary (8 bits). The QR-code also has error correction capability: data can be restored even when substantial parts of the code are distorted or damaged. Figure 1 and Figure 2 illustrate the QR-code encoding and decoding diagrams respectively.

Figure 1. QR-code encoding diagram.

Figure 2. QR-code decoding diagram.

QR-codes are part of daily life in Japan, Korea, Taiwan, Hong Kong, and China; they now appear in magazines, advertisements, product wrappings, T-shirts, passports, business cards and on subway billboards in Japan. Besides, at a consumer market level, most current Japanese mobile phones can read this code with their camera. However, QR-codes are virtually unknown outside of Asia [14]. Fortunately, for camera phones that are not equipped with QR-code readers, QuickMark [12] and I-nigma [5] both provide free tools, available for many phone models and devices, to decode QR-codes simply. With the aid of this equipment, it is simple for a human to manually decode QR-codes and then display, manipulate, or store the information on their mobile device. Mobile phones with an embedded camera can capture the QR-code and decode it with software running on the phone [2]. Thus, depending on the type of data recognized and the nature of the application, alternative actions can follow the decoding stage: a phone number can be automatically dialed, a short text message can be sent, a web page corresponding to the decoded URL can be displayed in a mobile browser, or a definite application can be executed. For this reason, mobile phones adopt the QR-code to support many services nowadays, such as booking tickets, paying a fee and URL reading [10][13][19].

III. PROPOSED SCHEME

The major concern of our scheme is to make use of the widely deployed QR-code techniques in order to eliminate the drawbacks of the prior one-time password schemes. The proposed scheme involves two parties: a service provider (SP for short) and remote users. Each authorized user can request service from SP with the granted access rights. Each user holds a mobile phone with an embedded camera; therefore he can take a picture of the QR-code image and then decode it. The convenient integration of the web-based application and the mobile device's usage makes our scheme more practical. Our scheme is divided into two phases: the Registration and Verification phases. The notation in TABLE I is employed throughout this paper.

TABLE I. NOTATION
  h(·)         A one-way hash function
  EQR(·)       A function that encodes data into a QR-code image
  DQR(·)       A function that decodes the QR-code image captured by an embedded camera device
  s            SP's long-term secret key
  T1, T2, T3   Time stamps

A. Registration Phase

Without loss of generality, assume that a User A with an embedded-camera mobile device wants to join the system. SP and User A carry out the following registration procedure; the steps of the Registration phase are shown in Figure 3.

1) User A sends his identity IDA to SP.
2) SP computes xA = h(IDA, s) (1) and sends xA to User A's mobile device via a secure channel.
3) User A's mobile device stores xA as the long-term secret key.

Figure 3. Registration phase.

B. Verification Phase

The verification phase proceeds as follows; the steps of the verification phase are also shown in Figure 4.

1) User A sends IDA and T1 to SP, where T1 is the time stamp attached by User A.
2) SP examines whether the time stamp T1 is correct. If it is invalid, the request is rejected. Otherwise, he chooses a random number r, computes α = r ⊕ xA, (2) and then sends EQR(α), h(r, T2), and T2 to User A, where T2 is the time stamp attached by SP.
3) User A examines whether the time stamp T2 is correct. If it is invalid, he rejects it. Otherwise, he derives r by computing r = DQR(EQR(α)) ⊕ xA (3) with his embedded camera device. Then User A examines whether h(r, T2) is correct. If it is invalid, he rejects it. Otherwise, User A sends h(r, T3) and T3 to SP.
4) SP examines whether the time stamp T3 is correct. If it is invalid, he rejects it. Otherwise, he checks whether h(r, T3) is correct. If it holds, then SP is convinced that User A is validated.

Figure 4. Verification phase.
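The two phases of Section III, simulated end to end as an added example that is not the authors' code: h(·) is taken to be SHA-256 over length-prefixed inputs, EQR/DQR are base64 stand-ins for rendering and scanning the QR image, r and xA are 32-byte strings, and a time stamp counts as correct within a WINDOW of 30 seconds; all of these are assumptions, as the paper fixes none of them. Beyond the paper's time stamp check (the replay argument of Section IV), the server also consumes r after one use, so a replayed h(r, T3) is rejected even if it arrives inside the window.

```python
import base64, hashlib, os

WINDOW = 30  # time stamp tolerance in seconds (assumed; the paper leaves the interval unspecified)

def h(*parts: bytes) -> bytes:
    # one-way hash h(.) of the paper, taken here to be SHA-256 over length-prefixed inputs
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()

def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def EQR(data: bytes) -> str:      # stand-in for rendering a QR-code image on the web page
    return base64.b64encode(data).decode()

def DQR(img: str) -> bytes:       # stand-in for camera capture and QR decoding on the phone
    return base64.b64decode(img)

def fresh(t: int, now: int) -> bool:
    return abs(now - t) <= WINDOW

class SP:
    def __init__(self, s: bytes):
        self.s = s           # long-term secret s; no password table is kept
        self.pending = {}    # IDA -> r for the login in progress

    def register(self, ida: bytes) -> bytes:
        return h(ida, self.s)                      # eq. (1): xA = h(IDA, s), sent over a secure channel

    def challenge(self, ida: bytes, t1: int, now: int):
        if not fresh(t1, now):
            return None                            # step 2: stale T1, reject
        r = os.urandom(32)
        self.pending[ida] = r
        alpha = xor(r, h(ida, self.s))             # eq. (2): alpha = r XOR xA
        return EQR(alpha), h(r, ts(now)), now      # EQR(alpha), h(r, T2), T2

    def verify(self, ida: bytes, resp: bytes, t3: int, now: int) -> bool:
        r = self.pending.pop(ida, None)            # r is single use (added safeguard beyond the time window)
        return r is not None and fresh(t3, now) and resp == h(r, ts(t3))   # step 4

class Phone:
    def __init__(self, xa: bytes):
        self.xa = xa                               # stored at registration step 3

    def respond(self, img: str, tag: bytes, t2: int, now: int):
        if not fresh(t2, now):
            return None                            # step 3: stale T2, reject
        r = xor(DQR(img), self.xa)                 # eq. (3): r = DQR(EQR(alpha)) XOR xA
        if tag != h(r, ts(t2)):
            return None                            # h(r, T2) mismatch: SP not authenticated
        return h(r, ts(now)), now                  # h(r, T3), T3

def login(sp: SP, phone: Phone, ida: bytes, now: int, delay: int = 0) -> bool:
    # full verification phase; delay models the last message reaching SP late (or being replayed)
    ch = sp.challenge(ida, now, now)
    ans = phone.respond(*ch, now) if ch else None
    return bool(ans) and sp.verify(ida, ans[0], ans[1], now + delay)
```

A login with a correct xA succeeds, while a message arriving later than WINDOW seconds or a phone holding the wrong xA is rejected.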

IV. DISCUSSIONS

In the proposed QR-code based remote authentication model, the user's mobile phone takes the responsibility for capturing the QR-code image and decoding it. Therefore, the feasibility evaluation of the operations in the mobile phone is especially discussed in this section. In addition, some possible attacks against the proposed scheme are taken into account.

A. Feasibility Evaluation

According to equation (3), it can be observed that the embedded camera mobile device only needs to carry out a QR-code decoding operation and a logical operation, exclusive OR. Accordingly, it is obvious that the overall computational load on the mobile device is limited to these two operations. From the user's point of view, instead of adopting the traditional smart card, the mobile phones with an embedded camera in our scheme only capture the QR-code and decode it with software running on the phone. On the other hand, from the point of view of the service provider, no extra cost is necessary to create and maintain a password table for storing each user's long-term secret key. In addition, instead of using an extra random number generator, r is a random number chosen by SP from time to time. Without the load of a random number generator, it is consequently more efficient and suitable for the remote user. Thus, it can be seen that the proposed authentication protocol based on the QR-code is efficient and practical.

B. Security analyses

1) Security risk of the user's mobile phone
Since the mobile phone has the user's long-term secret key, it needs to be well protected. Fortunately, the mobile phones with an embedded camera in our scheme only capture the QR-code and decode it with software running on the phone. Thus, from the point of view of the user's computer, the mobile device is not directly exposed to other malicious. Therefore, under this reasonable assumption, the risks generated by the mobile phone will be significantly reduced.

2) Security risk of the SP
It is infeasible for an attacker to derive SP's secret value s according to equation (1), because the one-way hash function is irreversible. Also, because he still cannot derive xA without the knowledge of s, the attack of impersonating CA will also fail. In addition, working without a password file to verify the user's authentication request decreases the risk of tampering and the maintenance cost successfully.

3) Security risk of the remote user
According to equations (2) and (3), if an adversary intercepts the information being transmitted over the public channel, it is still infeasible to derive r from h(r, T2) and h(r, T3), because the one-way hash function is irreversible. Thus, it can be observed that it is infeasible to obtain the valid user's long-term secret key xA without the knowledge of the corresponding random number r. Besides, the time stamps T1 and T3 are applied to strengthen the security of the one-time password r.

4) Man-in-the-middle attack and replay attack
Suppose that the intruder replays a legal request with time stamp T3 intercepted from the public channel and the SP receives the access request message at the time T3'. Since T3' − T3 is not less than the legal time interval, the service provider will reject it. Thus, both the man-in-the-middle attack and the replay attack will fail.

V. CONCLUSION

In today's humanistic society, daily products and various systems must be designed under the consideration of human habits and convenience. The motivation of this paper is to be the first to propose a QR-code based one-time password authentication protocol, which not only eliminates the usage of the password verification table, but is also a cost effective solution, since most internet users already have mobile phones. On the other hand, our approach could be more convenient, because the burden of carrying a separate hardware token or the extra charges of the Short Message Service can be removed. For this reason, according to the foregoing discussions, the contribution is obvious.

REFERENCES

[1] H. Y. Chien, J. K. Jan, and Y. M. Tseng, "An efficient and practical solution to remote authentication: smart card," Computers & Security, Vol. 21, No. 4, pp. 372–375, 2002.
[2] T. Falas and H. Kashani, "Two-Dimensional Bar-code Decoding with Camera-Equipped Mobile Phones," Proceedings of the Fifth Annual IEEE International Conference on Pervasive Computing and Communications Workshops, pp. 597–600, 19–23 March 2007.
[3] H. C. Hsiang and W. K. Shih, "Weaknesses and improvements of the Yoon–Ryu–Yoo remote user authentication scheme using smart cards," Computer Communications, Vol. 32, Issue 4, pp. 649–652, March 2009.
[4] M. S. Hwang and L. H. Li, "A new remote user authentication scheme using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 1, pp. 28–30, 2000.
[5] I-Nigma. Retrieved November 2009 from: http://www.inigma.
[6] InCard DisplayCards. Retrieved November 2009 from: http://www.incard.
[7] ISO/IEC 18004:2000, Information technology – Automatic identification and data capture techniques – Bar code symbology – QR Code, 2000.
[8] L. Lamport, "Password authentication with insecure communication," Communications of the ACM, Vol. 24, No. 11, pp. 770–772, 1981.
[9] OTP Authenticators, SafeNet. Retrieved November 2009 from: http://www.safenetinc.
[10] T. Parikh and E. Lazowska, "Designing an architecture for delivering mobile information services to the rural developing world," Proceedings of the Seventh IEEE Workshop on Mobile Computing Systems and Applications, Washington DC, USA, pp. 31–33, April 2006.
[11] M. Peyravian and C. Jeffries, "Secure remote user access over insecure networks," Computer Communications, Vol. 29, pp. 660–667, 2006.
[12] Quickmark. Retrieved November 2009 from: http://www.quickmark.
[13] J. Rekimoto and M. Saitoh, "Augmented Surfaces: A Spatially Continuous Work Space for Hybrid Computing Environments," Proceedings of the ACM Conference on Human Factors in Computing Systems, Pittsburgh, PA, USA, 15–20 May 1999.
[14] J. Rouillard, "Contextual QR Code," Proceedings of the Third International Multi-Conference on Computing in the Global Information Technology, Athens, Greece, pp. 50–55, July 27 – August 1, 2008.
[15] RSA SecurID. Retrieved November 2009 from: http://www.rsa.
[16] H. Wang, "An application and implementation of two-dimensional symbols for circuit board quality control system," Proceedings of the 2nd IEEE International Conference on Industrial Informatics, Berlin, pp. 397–401, 26 June 2004.
[17] VASCO. Retrieved November 2009 from: http://www.vasco.
[18] J. Xu, W. T. Zhu, and D. G. Feng, "An improved smart card based password authentication scheme with provable security," Computer Standards & Interfaces, Volume 31, Issue 4, June 2009.
[19] G. He, Yu, and L. ..., pp. 958–961, 2008.

Kuan-Chieh Liao was born in Taichung, Taiwan on September 23, 1979. He received his B.S., M.S., and Ph.D. degrees from the Department of Information Engineering & Computer Science, Feng Chia University, Taichung, Taiwan, in 2001, 2002 and 2007 respectively. Since August 2008, he has been with the Accounting and Information Systems Department at Asia University, Taichung, Taiwan, as an Assistant Professor. His current research interests include information security, cryptography, and electronic commerce.

Wei-Hsun Lee was born in Taipei, Taiwan on April 19, 1986. He received his B.S. degree from the Department of Computer Science & Information Engineering, ASIA University, in 2008. He is currently pursuing his M.S. degree in the Department of Information Science and Applications, ASIA University, Taichung, Taiwan. His current research interests include cryptography, steganography, and network security.
